I see such variability in certification bodies’ policy about the scope of an environmental management system (EMS) that I recommend contacting your potential certification bodies in order to ask their opinion about your potential choices for the scope.
If this toy manufacturing company has a brand, perhaps it is better to certify all factories, in order to use that in the marketing effort. If this toy manufacturing company has production units working for cost-sensitive clients (B2B) and production units working for demanding clients (B2B), perhaps these latter units are candidates for having an EMS.
Please find more information below:
ISO 14001:2015, clause 9.2.2, states that “an organization should establish, implement and maintain an internal audit program(s)”. “An audit program is a set of one or more audits planned for a specific time frame”, according to ISO 9000:2015.
So, your phrase means that the “EMS Management Representative or designate” should, every year, issue an internal audit program scheduling all audits to be performed, and with what scope for each in order to audit all ISO 14001 requirements.
Please check this article about ISO 9001, but applicable to ISO 14001 too - What is the ISO 9001 audit program, and how does it work? - https://advisera.com/9001academy/blog/2017/01/24/what-is-the-iso-9001-audit-program-and-how-does-it-work/ and this figure:
You can find practical information in the links below:
Neither the IATF 16949:2016 standard nor the IATF Rule 5 have any requirements in this regard.
That is, no restriction has been defined for the number of major or minor nonconformities.
Thank you for your comments, it makes perfect sense.
In your food testing laboratory it starts with knowing the activities of critical importance, typically those tests you are accredited for, as well as, for example, your data and information management. Then you would do a process flow and consider where the risks may be, for example those causing results to deviate. That is followed by deciding what level of risk is acceptable and taking practical actions to reduce the risk to the target level.
Have a look at section 8.5 in the Whitepaper Clause-by-clause explanation of ISO 17025:2017 available at https://info.advisera.com/17025academy/free-download/clause-by-clause-explanation-of-iso-17025/ and the ISO 17025 Toolkit preview at https://advisera.com/17025academy/iso-17025-documentation-toolkit/, which includes a procedure and register for risks.
Also feel free to join the webinar How to manage risks in laboratories according to ISO 17025, scheduled for 16 February. Registration is available at https://advisera.com/17025academy/webinar/iso-17025-risk-management-how-to-manage-it-free-webinar-on-demand/
ISO/IEC 17025 is the ISO standard used by laboratories (testing and calibration). The title is General requirements for the competence of testing and calibration laboratories.
If you are asking how ISO 17025:2017 has changed from the previous version, have a look at the article ISO/IEC 17025:2005 vs. ISO/IEC 17025:2017 revision: What has changed? at https://advisera.com/17025academy/blog/2019/11/13/iso-17025-2017-vs-iso-17025-2005-key-changes-infographic/
If you are asking generally about ISO 17025, have a look at the
Considering your stated scenario (i.e., all four risks identified as acceptable), the documents will be filled in as follows:
- Risk Assessment Table (Appendix 1): the four risks must be filled in
- Risk Treatment Table (Appendix 2): no need to include these risks
- Risk Assessment and Treatment Report: no need to include these risks
The main content of the Risk Assessment and Treatment Report does not include the risks themselves, only a description of the methodology used and when it was applied. The risks are listed in its annexes, the above-mentioned Risk Assessment Table and Risk Treatment Table.
Please note that finding only 4 risks for mobile devices is probably too low a number, and this might be challenged at the certification audit, especially if all of these risks are acceptable.
By the way, included in the toolkit you bought, you have access to video tutorials that can help you fill in the Risk Assessment and Risk Treatment tables.
For further information, see:
- ISO 27001/ISO 27005 risk assessment & treatment – 6 basic steps https://advisera.com/27001academy/knowledgebase/iso-27001-risk-assessment-treatment-6-basic-steps/
- Book ISO 27001 Risk Management in Plain English https://advisera.com/books/iso-27001-annex-controls-plain-english/
This material can also help you:
- The basics of risk assessment and treatment according to ISO 27001 [free webinar on demand] https://advisera.com/27001academy/webinar/basics-risk-assessment-treatment-according-iso-27001-free-webinar-demand/
- ISO 27001:2013 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
In most countries, the implementation of ISO 27001 is not mandatory. However, some countries have published regulations that require certain industries to implement ISO 27001.
To determine whether ISO 27001 is mandatory or not in your context, you should seek expert legal advice in the country where you operate.
This article may help you:
- List of Legal, Regulatory, Contractual and Other Requirements https://advisera.com/27001academy/documentation/list-of-legal-regulatory-contractual-and-other-requirements/
These articles will provide you with a further explanation of ISO 27001:
- What is ISO 27001 https://advisera.com/27001academy/what-is-iso-27001/
- Where to start from with ISO 27001 https://advisera.com/27001academy/knowledgebase/iso-27001-where-to-start-most-important-materials/
These materials will also help you regarding ISO 27001:
- Book Secure & Simple: A Small-Business Guide to Implementing ISO 27001 On Your Own https://advisera.com/books/secure-and-simple-a-small-business-guide-to-implementing-iso-27001-on-your-own/
- ISO 27001 Foundations Course https://advisera.com/training/iso-27001-foundations-course/
Yes, a competitor can be determined to be an interested party. Please check the ISO 9000:2015 definition of interested party: “organization that can affect, be affected by, or perceive itself to be affected by a decision or activity”. Clearly, a competitor fits the definition.
Remember, ISO 9001:2015 uses the word determine. It’s a decision of the organization.
You can find more information below:
As a good practice, always search for evidence to support information collected during an interview. Imagine that, when presenting your report, the auditee does not confirm what he or she stated during the interview.
Please check this information below with a more detailed answer: